公開している web サーバのログから通常のアクセスではない通信について分析しました。
4月に大量にあったphpMyAdminを調査する通信は今月はなかったです。
多かったリクエスト
Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性
下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
ここ数年ずっと検知されていましたが、今月はパターンが増えていたので改めて気を付けてください。
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1937 |
| /.env | 392 |
| /favicon.ico | 356 |
| /sw.js | 248 |
| /ads.txt | 233 |
| /wp-login.php | 177 |
| /.git/config | 149 |
| /app-ads.txt | 112 |
| mstshash=Administr | 103 |
| /index.xml | 80 |
| /webui/ | 60 |
| /geoserver/web/ | 57 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 49 |
| /manifest.js | 48 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 46 |
| /admin/config.php | 45 |
| /actuator/gateway/routes | 41 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 41 |
| /_profiler/phpinfo | 40 |
| /.svn/entries | 36 |
| /dns-query | 34 |
| /.DS_Store | 34 |
| /sellers.json | 32 |
| /.well-known/security.txt | 30 |
| /owa/auth/logon.aspx | 27 |
| /info.php | 27 |
| /aab8 | 27 |
| /.env.production | 27 |
| /.env.prod | 27 |
| /resolve?name=example.com&type=A | 26 |
| /resolve | 26 |
| /query?name=example.com&type=A | 26 |
| /query | 26 |
| /dns-query?name=example.com&type=A | 26 |
| /config.json | 26 |
| /admin.php | 26 |
| /.vscode/sftp.json | 26 |
| /app/.env | 24 |
| /wp-content/ | 23 |
| /redmine/.env | 23 |
| /laravel/.env | 23 |
| /api/.env | 23 |
| /admin/.env | 23 |
| /index.php | 22 |
| /sdk | 21 |
| /phpinfo.php | 21 |
| /aaa9 | 21 |
| /HNAP1 | 21 |
| /wp-includes/ | 20 |
| /debug/default/view?panel=config | 20 |
| /core/.env | 20 |
| /actuator/health | 20 |
| /aab9 | 20 |
| /.well-known/ | 19 |
| /wp-content/uploads/ | 18 |
| /wp-content/themes/ | 18 |
| /wp-content/plugins/ | 18 |
| /wp-admin/ | 18 |
| /inputs.php | 18 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 18 |
| /css/ | 18 |
| /cgi-bin/orospucoc.cgi?user=messagebus&passwd=&cmd=15&system=cHMJfAlncmVwCW15ZGxpbms= | 18 |
| /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=cHMJfAlncmVwCW15ZGxpbms= | 18 |
| //.env | 18 |
| /.well-known/pki-validation/ | 18 |
| /.most/orospucoc.cgi?user=messagebus&passwd=&cmd=15&system=cHMJfAlncmVwCW15ZGxpbms= | 18 |
| /docker/.env | 17 |
| /about | 17 |
| /.most/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=cHMJfAlncmVwCW15ZGxpbms= | 17 |
| /v2/_catalog | 16 |
| /repeater.php | 16 |
| /menu.php | 16 |
| /manager/html | 16 |
| /dropdown.php | 16 |
| /class.api.php | 16 |
| /app/.git/config | 16 |
| /admin/.git/config | 16 |
| /.well-known/assetlinks.json | 16 |
| /.well-known/acme-challenge/ | 16 |
| /wp-content/plugins/core/include.php | 15 |
| /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /lib/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 15 |
| /lib/phpunit/Util/PHP/eval-stdin.php | 15 |
| /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /application/.git/config | 15 |
| /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /alfanew.php | 15 |
| /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /.well-known/apple-app-site-association | 15 |
| /.git/HEAD | 15 |
| /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /wp-content/plugins/press/wp-class.php | 14 |
| /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /vendor/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php | 14 |
| /vendor/phpunit/phpunit/LICENSE/eval-stdin.php | 14 |
| /vendor/phpunit/Util/PHP/eval-stdin.php | 14 |
| /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /phpunit/phpunit/Util/PHP/eval-stdin.php | 14 |
| /phpunit/Util/PHP/eval-stdin.php | 14 |
| /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /config/.git/config | 14 |
| /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 14 |
| /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 14 |
| /about.php | 14 |
| /wp-content/themes/finley/min.php | 13 |
| /wp | 13 |
| /wordpress | 13 |
| /static../.git/config | 13 |
| /start.asp | 13 |
| /sitemap.xml.gz | 13 |
| /simple.php | 13 |
| /old | 13 |
| /main.php | 13 |
| /login.action | 13 |
| /jquery-3.3.2.slim.min.js | 13 |
| /jquery-3.3.1.slim.min.js | 13 |
| /index.pl | 13 |
| /index.jsp | 13 |
| /index.jsa | 13 |
| /home.pl | 13 |
| /fm1.php | 13 |
| /default.pl | 13 |
| /default.jsa | 13 |
| /base.jsp | 13 |
| /base.jsa | 13 |
| /base.asp | 13 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 13 |
| /alfanew.php7 | 13 |
| /M1.php | 13 |
| //vendor/phpunit/phpunit/src/Util/Log/log.php | 13 |
| /.well-known/wso112233.php | 13 |
| pro.ip-api.com:443 | 12 |
| [\x22miner1\x22, | 12 |
| /wp-includes/SimplePie/plugins.php | 12 |
| /wp-includes/IXR/themes.php | 12 |
| /wp-includes/ID3/wp-login.php | 12 |
| /wp-includes/ID3/about.php | 12 |
| /wp-header.php | 12 |
| /wp-content/themes/about.php | 12 |
| /wp-content/plugins/alfa-rex.php | 12 |
| /wp-content/plugins/about.php | 12 |
| /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 12 |
| /start.pl | 12 |
| /start.jsa | 12 |
| /start.cgi | 12 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 12 |
| /sftp-config.json | 12 |
| /sapi/debug/default/view | 12 |
| /readme.txt | 12 |
| /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 12 |
| /pools/default/buckets | 12 |
| /pools | 12 |
| /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php | 12 |
| /new | 12 |
| /mysql/web/index.php?lang=en | 12 |
| /menu.shtml | 12 |
| /menu.pl | 12 |
| /menu.jsa | 12 |
| /menu.cfm | 12 |
| /menu.aspx | 12 |
| /main.jsa | 12 |
| /main.jhtml | 12 |
| /login | 12 |
| /localstart.jsp | 12 |
| /localstart.html | 12 |
| /localstart.cfm | 12 |
| /local/.env | 12 |
| /indice.php | 12 |
| /indice.jhtml | 12 |
| /indice.aspx | 12 |
| /indice.asp | 12 |
| /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 12 |
| /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php | 12 |
| /index.php?lang=../../../../../../../../tmp/index1 | 12 |
| /index.jhtml | 12 |
| /home.php | 12 |
| /home.jsa | 12 |
| /home.html | 12 |
| /home.cfm | 12 |
| /home.aspx | 12 |
| /frontend/web/debug/default/view | 12 |
| /docs/cplugError.html/ | 12 |
| /default.jsp | 12 |
| /debug/default/view | 12 |
| /db.json | 12 |
| /conf.json | 12 |
| /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 12 |
| /base.shtml | 12 |
| /base.pl | 12 |
| /base.jhtml | 12 |
| /base.cgi | 12 |
